What Do You Want to Block Today?

By Brien M. Posey | Nov 26, 2001
http://www.enterprisenetworkingplanet.com/netsecur/article.php/928421/What-Do-You-Want-to-Block-Today.htm

Since the release of Windows XP there has been a lot of hype about security, and about Windows XP's built-in firewall in particular. The built-in firewall is certainly a step in the right direction, but it can be a double-edged sword. In this article I'll explain the good points and the bad points of the Windows XP firewall.

The Windows XP firewall is designed to block all inbound packets unless they are a direct response to a query that the machine itself sent out; in other words, it keeps track of the connections the workstation opens and admits only the replies to them. Its purpose is to help keep hackers out of your system. As you can see in Figure A, port scanning a Windows XP machine that doesn't have the firewall enabled reveals which services are listening, information that could be useful to a hacker. If you enable the firewall and run the same port scan a second time, nothing is revealed (Figure B).

Figure A
Performing a port scan on a machine without the firewall reveals some useful information

Figure B
With the firewall enabled, the same port scan reveals nothing.

As you can see, the firewall keeps a port scan from revealing anything about the services running on a Windows XP machine. Unfortunately, there are some serious issues involved in using the Windows XP firewall that you need to be aware of.

First, the Windows XP firewall isn't a full-featured firewall. A normal firewall lets you write rules for individual TCP and UDP ports, protocols and addresses, in both directions. The Windows XP firewall gives you much less control: it takes a point-and-click approach to opening or closing a few common services, as shown in Figure C. Its logging capabilities are also minimal.

Figure C
Windows XP's firewall allows you to open or close a few common ports

Because of these limitations, the Windows XP firewall shouldn't be used in place of a normal corporate firewall; it should be used as a supplement to it. Remember that your corporate firewall does a good job of protecting your organization from external threats but does nothing to protect it from internal ones: a machine inside the perimeter can port scan and attack any workstation on the LAN without the corporate firewall ever seeing the traffic. The Windows XP firewall can't replace the corporate firewall, but it can help guard workstations against hack attempts that originate within the organization. Therefore, I recommend enabling the Windows XP firewall on your workstations and using it in conjunction with your corporate firewall.

Keep in mind, though, that even the multilevel firewall architecture I just described isn't completely secure. The Windows XP firewall does a great job of blocking inbound traffic, but it makes no attempt to filter outbound traffic. This means that once an attacker has gotten code onto a workstation, for example through a trojan the user ran, nothing in the Windows XP firewall stops that workstation from being used as part of a distributed denial of service attack. The Windows XP firewall offers no way to block outbound traffic, but you can configure your corporate firewall to filter it: deny outbound connections by default and permit only the protocols and destinations your workstations legitimately need, so that a compromised machine can't flood arbitrary targets on the Internet and your company isn't used as a pawn in a denial of service attack.
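The two behaviours described above, the stateful inbound rule (drop every inbound packet unless it answers a query the host itself sent) and the outbound gap it leaves for the corporate firewall to close, are easier to reason about with a small model. The following is an added example written for this page, not code from the article or from Windows; it is a toy connection-tracking filter and a toy perimeter egress policy, and all of the addresses, ports and sample packets in it are constructed for illustration.

```python
"""Toy model of a stateful host firewall next to a perimeter egress policy.

Added example, not from the original article or from Windows XP itself.
Addresses, ports and packets below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    outbound: bool = False  # True when the packet leaves the host


class StatefulHostFirewall:
    """Host firewall in the style the article describes: outbound traffic is
    never filtered, inbound traffic is allowed only as a reply to our own."""

    def __init__(self, host_ip, listening_ports=(), enabled=True):
        self.host = host_ip
        self.listening = set(listening_ports)
        self.enabled = enabled
        self.state = set()  # 4-tuples of the flows this host initiated

    def handle(self, pkt):
        if pkt.outbound:
            # Remember the flow so that its reply is recognised on the way back.
            self.state.add((pkt.proto, pkt.dst, pkt.dport, pkt.sport))
            return "allow"
        if (pkt.proto, pkt.src, pkt.sport, pkt.dport) in self.state:
            return "allow"  # direct response to a query we sent
        if not self.enabled:
            # Unprotected host: the TCP stack answers the probe itself and so
            # tells the scanner whether a service is listening on that port.
            return "open" if pkt.dport in self.listening else "closed"
        return "drop"  # unsolicited inbound packet, silently discarded


def port_scan(fw, scanner_ip, ports):
    """What a scanner at scanner_ip learns about each probed port."""
    results = {}
    for p in ports:
        verdict = fw.handle(Packet(scanner_ip, 40000 + p, fw.host, p))
        results[p] = "filtered" if verdict == "drop" else verdict
    return results


class EgressPolicy:
    """Perimeter rule set: workstations may only leave the network for the
    (protocol, destination port) pairs listed; everything else is logged and
    dropped. Deny-by-default egress limits what a compromised host can do."""

    def __init__(self, allowed):
        self.allowed = set(allowed)
        self.log = []

    def filter(self, pkt):
        if (pkt.proto, pkt.dport) in self.allowed:
            return "allow"
        self.log.append(f"DROP out {pkt.src}:{pkt.sport} -> "
                        f"{pkt.dst}:{pkt.dport}/{pkt.proto}")
        return "drop"


def demo():
    host, scanner = "192.0.2.10", "192.0.2.200"
    services = {135, 139, 445}          # constructed: typical XP listeners
    ports = [21, 80, 135, 139, 445]

    # Figure A / Figure B in miniature: the same scan with and without the firewall.
    exposed = port_scan(StatefulHostFirewall(host, services, enabled=False), scanner, ports)
    hidden = port_scan(StatefulHostFirewall(host, services), scanner, ports)

    # Legitimate browsing still works: the reply to our own request is let in.
    fw = StatefulHostFirewall(host, services)
    fw.handle(Packet(host, 51000, "198.51.100.7", 80, outbound=True))
    reply = fw.handle(Packet("198.51.100.7", 80, host, 51000))

    # A compromised workstation floods a victim: the host firewall lets every
    # packet out, only the perimeter egress policy stops the off-policy ones.
    egress = EgressPolicy({("tcp", 80), ("tcp", 443), ("udp", 53)})
    flood = [Packet(host, 52000 + i, "203.0.113.9", 6667, outbound=True) for i in range(3)]
    host_verdicts = [fw.handle(p) for p in flood]
    perimeter_verdicts = [egress.filter(p) for p in flood]
    return exposed, hidden, reply, host_verdicts, perimeter_verdicts


if __name__ == "__main__":
    for name, value in zip(("exposed", "hidden", "reply", "host", "perimeter"), demo()):
        print(f"{name}: {value}")
```

The model makes the article's point concrete: with the firewall on, the scanner sees "filtered" for every port, open or not, while the host's own outbound request still gets its reply. It also shows the limit of egress filtering. The flood to port 6667 is dropped at the perimeter, but a flood aimed at a port the policy must allow, such as tcp/80, would pass, so egress rules reduce the attacker's options rather than eliminate them.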

Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense.